diff --git a/Dockerfile b/Dockerfile
index cb5901e..586b864 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,20 +1,25 @@
 ARG ALPINE_VERSION=3.15
 FROM alpine:${ALPINE_VERSION}
+ARG ALPINE_VERSION
 LABEL zero-downtime.net.image.maintainer="stefan@zero-downtime.net" \
 zero-downtime.net.image.license="AGPLv3"
-RUN apk upgrade -U --available --no-cache && \
+RUN cd /etc/apk/keys && \
+ wget "https://cdn.zero-downtime.net/alpine/stefan@zero-downtime.net-61bb6bfb.rsa.pub" && \
+ echo "@kubezero https://cdn.zero-downtime.net/alpine/v${ALPINE_VERSION}/kubezero" >> /etc/apk/repositories && \
+ apk upgrade -U --available --no-cache && \
 apk add --no-cache \
- openvpn \
- nftables \
- bash \
- easy-rsa \
- openvpn-auth-pam \
- google-authenticator \
- libqrencode && \
- ln -s /usr/share/easy-rsa/easyrsa /usr/local/bin
+ openvpn \
+ nftables \
+ bash \
+ easy-rsa \
+ openvpn-auth-pam \
+ google-authenticator \
+ libqrencode \
+ openvpn_exporter@kubezero && \
+ ln -s /usr/share/easy-rsa/easyrsa /usr/local/bin
 # Needed by scripts
 ENV OPENVPN=/etc/openvpn
@@ -25,6 +30,7 @@ ENV EASYRSA=/usr/share/easy-rsa \
 VOLUME ["/etc/openvpn"]
 EXPOSE 1194/udp
+EXPOSE 9176/tcp
 CMD ["ovpn_run"]
@@ -33,4 +39,3 @@ RUN chmod a+x /usr/local/bin/*
 # Add support for OTP authentication using a PAM module
 ADD ./otp/openvpn /etc/pam.d/
-
diff --git a/Makefile b/Makefile
index ad58673..0c67350 100644
--- a/Makefile
+++ b/Makefile
@@ -3,4 +3,3 @@ IMAGE := zdt-openvpn
 REGION := us-east-1
 include .ci/podman.mk
-
diff --git a/bin/ovpn_run b/bin/ovpn_run
index 1899d8f..154ca15 100755
--- a/bin/ovpn_run
+++ b/bin/ovpn_run
@@ -128,5 +128,8 @@ if [ $? = 0 ]; then
 fi
 fi
+echo "Starting openvpn_exporter"
+openvpn_exporter --openvpn.status_paths /var/run/openvpn-status.log &
+
 echo "Running 'openvpn ${ARGS[@]} ${USER_ARGS[@]}'"
 exec openvpn ${ARGS[@]} ${USER_ARGS[@]}
diff --git a/otp/openvpn b/otp/openvpn
index 5c5c441..aa576fd 100644
--- a/otp/openvpn
+++ b/otp/openvpn
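Review bot: The new `wget` into `/etc/apk/keys` installs a third-party package-signing trust root with no integrity check beyond the TLS session, so every later `apk add …@kubezero` trusts whatever that CDN host (or anyone able to present a certificate for it) serves at build time. Pin the key in-tree (`COPY stefan@zero-downtime.net-61bb6bfb.rsa.pub /etc/apk/keys/`) or, if it must be fetched, verify it before any `apk` command runs, e.g. `echo "<expected-sha256>  stefan@zero-downtime.net-61bb6bfb.rsa.pub" | sha256sum -c -` — the expected digest is not in this diff and has to come from the key's owner. Related: `RUN cd /etc/apk/keys && …` (hadolint DL3003) can become `wget -P /etc/apk/keys …` so the destination is explicit rather than the shell's cwd, and the `apk add` list, now including `openvpn_exporter@kubezero`, is unpinned (DL3018), which matters more once one package comes from a non-official repository. busybox wget's certificate check also depends on the base image's CA bundle; presumably `alpine:${ALPINE_VERSION}` ships it, but nothing here states that, so either add `ca-certificates-bundle` to the install or note the assumption in a comment above the `RUN`.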
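Review bot: `openvpn_exporter … &` starts an unsupervised background process with no listen address given, so on its defaults it presumably binds the metrics port on every interface (matching the new `EXPOSE 9176/tcp`) with no authentication, and once `exec openvpn` takes PID 1 nothing restarts or even reports the exporter if it dies. The status path also has to agree with what openvpn is told to write; `ARGS` is assembled above this hunk, so I cannot confirm a `--status /var/run/openvpn-status.log` is in it, and if it is not the exporter serves nothing useful. I would make it opt-in and fail loudly on misconfiguration, e.g. `if [ "${OVPN_EXPORTER:-false}" = "true" ]; then openvpn_exporter --openvpn.status_paths /var/run/openvpn-status.log & fi`, document `OVPN_EXPORTER` where the script's other environment inputs are documented, and pass an explicit listen address if the exporter build supports one (the flag name is not shown here). Unless ovpn_run drops privileges earlier, the exporter runs with the same root privileges as openvpn while exposing a TCP listener, which is worth a comment on the line.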
@@ -1,7 +1,7 @@
 # Uses google authenticator library as PAM module using a single folder for all users tokens
 # User root is required to stick with an hardcoded user when trying to determine user id and allow unexisting system users
 # See https://github.com/google/google-authenticator-libpam#usersome-user
-auth required pam_google_authenticator.so secret=/etc/openvpn/otp/${USER}.google_authenticator user=root
+auth required pam_google_authenticator.so secret=/etc/openvpn/otp/${USER}.google_authenticator user=root authtok_prompt=pin
 # Accept any user since we're dealing with virtual users there's no need to have a system account (pam_unix.so)
 account sufficient pam_permit.so
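Review bot: `authtok_prompt=pin` only works if the OpenVPN side answers a PAM prompt named `pin`: openvpn-auth-pam fills PAM conversation prompts by matching them against the names in the plugin's argument string in the server config (for example a string mapping `login`, `password` and `pin`), and that config is not part of this diff, so the change is silently incomplete if the plugin string still maps only the username and password prompts. Record the coupling in the file so the two cannot drift apart unnoticed: `# authtok_prompt=pin must match the prompt name the openvpn auth-pam plugin maps to the one-time code`. Since this `auth` line is the only PAM factor and `account` is `pam_permit.so`, the OTP stands alone on the PAM side — fine when client certificates are the first factor, but worth one sentence in the header comment so nobody later relaxes the certificate requirement thinking PAM still enforces a password.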